Glossary

Key Terms

App Review

App Review enables us to verify that your app uses our Products and APIs in an approved manner. It is a process that gates access to certain permissions, requiring developers to submit a request to justify platform access. As part of the review process we will test your app to verify that its use of the requested permissions and features follow the permissible usage.

If your app will be used by anyone who does not have a role on the app, or a role in a Business Portfolio associated with the app, and advanced access is required, the app must undergo App Review.

Learn more about App Review here.

Data Handling Questions

Completing data handling questions is required for:

  • Apps that require access to use cases, permissions or features (for some apps this is called advanced access).

  • Apps that have been published live with a use case, or that have advanced access to permissions or features. For these apps, the questions must be completed annually as part of the Data Use Checkup (DUC).

These questions are designed to validate that data received from Meta will be processed and transferred securely and in compliance with Meta’s Platform Terms and Developer Policies. You may be asked to complete data handling questions as part of your Data Use Checkup.

Learn more about data handling questions here.

Data Protection Assessment

Data Protection Assessment is a requirement for apps live with use cases or accessing advanced permissions that is designed to assess how developers use, share and protect Platform Data as described in the Meta Platform Terms. When enrolled, an administrator of the app will need to complete a questionnaire based on their app’s access to Platform Data.

You will receive a required action notification in your developer dashboard when it’s time for you to complete the assessment. If you miss this communication, you will also see notifications about the Data Protection Assessment on your App Dashboard.

Learn more about Data Protection Assessment here.

Data Use Checkup (DUC)

The Data Use Checkup is required for developers whose apps have been published live with a use case, or have advanced access to permissions or features.

DUC is an annual assessment that evaluates whether a developer’s continued use of and access to data via Meta APIs is in compliance with Meta’s Platform Terms and Developer Policies. The assessment is focused on the permissions that the app has access to. Data Use Checkup also includes data handling questions (see Data Handling Questions above).

Learn more about data use checkup here.

Ongoing Reviews

To keep the Meta platform and community safe, and in accordance with our Platform Terms, we periodically review apps for compliance with data and general platform policies by evaluating the user experience your app provides and how your app is using its current permissions, features, and products. This review can happen at any time.

Meta subjects all apps that are published with use cases, permissions, features, or any other advanced access to Platform Data, including app user data, to ongoing reviews unless specifically exempt.

Required Actions

Required actions are notifications that alert an app admin that an action is needed. This can range from submitting additional information, to completing a verification, to fixing something, and more. Each required action has a deadline. If the required action is not completed before the deadline, the app will be subject to an enforcement action.

Examples of required actions include, but are not limited to:

  • Responding to notifications of violations of Meta’s applicable terms and policies

  • Responding to requests to provide information

  • Following instructions related to upcoming assessments or reviews

  • Making sure to submit information within a provided deadline

0-9

3rd party - In risk management terminology, a 3rd party refers to developers on Meta’s platform (1st party is Meta itself; 2nd party is people that use Meta’s products).

4th party - In risk management terminology, a 4th party refers to the firms that developers rely on to provide services that enable their business (1st party is Meta, 2nd party is Meta’s users, and 3rd party is developers on Meta’s platform).

A

Access token - A credential, like a password, that allows software to call an API to take some action (e.g., read data from a user’s profile).

Admin Audit Logs - Records of actions taken by users with elevated privileges in data systems. Properly configured admin audit logs record actions such as executing programs or scripts, creating or disabling accounts, resetting passwords, changing multifactor authentication configurations, and editing, moving, or deleting log files within a system.

App scoped ID (ASID) - A unique identifier that Meta generates when a person chooses to use an app. ASIDs help improve privacy for users by making it more difficult for data sets to correlate users across apps, as a single user will have different ASIDs in each app.

App secret - A shared secret that Meta makes available to developers via the app dashboard. Possession of the app secret authorizes software to take actions via the Graph API. Developers must ensure unauthorized parties do not access the app secret.

App compromise - Occurs when a malicious actor gains unauthorized access to an organization’s internal network via a misconfiguration or vulnerability in their app (e.g., a software vulnerability in a web app). A defense against app compromise is to perform penetration testing. See also network compromise.

Application container - A container packages up software code and its dependencies so that the app will run on different types of servers (e.g., Linux or Windows Server). A developer creates a container image, and an application container engine or runtime hosts (runs) the image.

Application encryption - A method of protecting data where the application software itself performs encryption and decryption operations. This contrasts with Transport Layer Security (TLS), which encrypts data in transit when establishing a secure connection, and with cloud services that offer transparent encryption for data at rest.

Application event logs - Structured records of events and activities generated by software applications, capturing information such as error messages, user interactions, system events, and application-specific data.

Application Programming Interface (API) - A method allowing two computers to communicate over a network, such as a mobile app fetching weather data from a centralized weather forecasting system.

Appsecret proof - An additional layer of security for API calls to Meta. A developer generates a parameter (the appsecret proof) that shows they possess the app secret. It is created using a hashing function based on the app secret and access token. Configuring an app to require appsecret proofs during Graph API invocations reduces the risk from a breach of user access tokens, as they cannot be used without the additional appsecret proof parameter.
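The computation behind the appsecret proof, as an added example that is not part of the original glossary: Meta’s Graph API documentation specifies the proof as an HMAC-SHA256 of the access token keyed with the app secret, sent as the `appsecret_proof` parameter alongside `access_token`. The secret, token and endpoint path below are constructed placeholders, and `verify_request_proof` is a hypothetical server-side check included only to show why a token leaked from a client is useless on its own once proofs are required.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed placeholder values. A real app secret comes from the App Dashboard
# and must only ever live on the backend, never in client or mobile code.
APP_SECRET = "0123456789abcdef0123456789abcdef"   # constructed, not a real secret
ACCESS_TOKEN = "EAAexampleUserAccessToken123"     # constructed, not a real token
GRAPH_PATH = "https://graph.facebook.com/v0.0/me"  # placeholder version/path


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 of the access token, keyed with the app secret, hex-encoded.

    This is the value the Graph API expects in the `appsecret_proof` parameter.
    """
    return hmac.new(
        app_secret.encode("utf-8"),
        access_token.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()


def build_graph_url(path: str, access_token: str, app_secret: str, **fields: str) -> str:
    """Build a Graph API GET URL that carries both the token and its proof.

    The proof is computed on the backend; the client never sees the app secret.
    """
    params = {
        "access_token": access_token,
        "appsecret_proof": appsecret_proof(access_token, app_secret),
        **fields,
    }
    return f"{path}?{urlencode(params)}"


def verify_request_proof(access_token: str, presented_proof: str, app_secret: str) -> bool:
    """Hypothetical server-side check mirroring what an API enforcing proofs does.

    A constant-time comparison avoids leaking the expected proof via timing.
    """
    expected = appsecret_proof(access_token, app_secret)
    return hmac.compare_digest(expected, presented_proof)


def stolen_token_is_rejected(access_token: str, app_secret: str) -> bool:
    """Model the breach scenario from the definition: an attacker holds only the token.

    Without the app secret they cannot produce a proof that verifies, so a
    proof-requiring endpoint rejects the call even though the token is valid.
    """
    # The attacker guesses a secret (or reuses one from another app) and
    # computes a proof with it; it will not match the legitimate one.
    attacker_proof = appsecret_proof(access_token, "not-the-real-secret")
    return not verify_request_proof(access_token, attacker_proof, app_secret)


if __name__ == "__main__":
    print("proof:", appsecret_proof(ACCESS_TOKEN, APP_SECRET))
    print("url:  ", build_graph_url(GRAPH_PATH, ACCESS_TOKEN, APP_SECRET, fields="id,name"))
    print("leaked token alone rejected:", stolen_token_is_rejected(ACCESS_TOKEN, APP_SECRET))
```

Because the proof is bound to a specific token and secret, rotating the app secret in the dashboard invalidates every proof computed with the old value, which is the lever to pull if a secret is suspected to have leaked.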

B

Backend environment - In system architecture, the frontend refers to the part of the system that runs on user devices, whereas the backend refers to the part that runs remotely on servers controlled by the developer or a hosting provider. Backend environments typically reside in the cloud or data centers, with network, compute, and storage resources.

Backend as a Service (BaaS) - A style of cloud computing that provides server-side capabilities so app developers can focus on building the frontend. BaaS solutions are similar to PaaS but add services like user authentication and mobile push notifications (e.g., AWS Amplify, Azure Mobile Apps, Firebase, MongoDB Stitch).

C

Client side - Refers to internet-accessible services that people interact with using a browser or mobile app. Clients make requests to remote servers over the internet.

Cloud computing - A style of managing server computers, networks, and storage without needing to worry about the physical environment, allowing organizations to provision assets on demand and pay only for the services they consume.

Cloud configuration - The set of cloud computing options an organization sets for their use of a cloud provider. This includes configurations such as allowed network connections, log file retention, and authorized users.

Compensating controls - A security control that differs from a baseline set of requirements but delivers comparable protection against a risk.

D

Database - Software that allows arbitrary data to be stored, read, updated, and deleted. Organizations often store data fetched from the Graph API in a server-side database.

Decryption - The process by which encrypted data is transformed back into its original format, converting cipher text into plain text.

Dynamic Application Security Testing (DAST) - A program used by developers to analyze a web application (web app) in runtime and identify security vulnerabilities or weaknesses.

E

Encryption - The process of transforming data into an unusable format for unauthorized users, converting plain text into cipher text.

Encryption at rest - Data that is protected with encryption when written to persistent storage (e.g., disk drives). This adds a layer of protection against unauthorized access by ensuring the data appears as cipher text without access to the decryption key.

Encryption in transit - Data that is encrypted when transmitted across a network, protecting it from eavesdropping by displaying cipher text unless the actor has access to the decryption key.

End of Life (EOL) software - Software that is no longer supported by its developer, meaning security patches and updates are no longer provided. Running EOL software is risky.

G

Graph API - The primary way apps read and write to the Meta social graph. All Meta SDKs and products interact with the Graph API.

H

Hashing function - A cryptographic function that takes any data as input and outputs a short code that cannot be reversed into the original input. Hashing is often used to protect sensitive data like passwords.

I

Identity Provider (IdP) - A cloud service that centralizes the management of digital identities and authenticates users. Organizations use IdPs to manage user accounts and app access centrally.

Identity and Access Management (IAM) - A set of tools and processes used to manage accounts and grant access to systems.

Infrastructure as a Service (IaaS) - A cloud computing approach allowing customers to configure computing, storage, and networking services without managing the physical infrastructure.

L

Library - Pre-existing software building blocks used by developers to handle tasks within apps or systems. Libraries simplify development but may contain security vulnerabilities that must be managed.

M

Mobile client or mobile app - An app installed on a phone or tablet from a mobile app store, often communicating with an organization’s REST API or other services (e.g., the Facebook SDK for Android).

Multi-Factor Authentication (MFA) - An authentication approach that requires more than one factor (e.g., password and code) to gain access to an app or system, adding security against account takeovers.

N

Native software - Apps that are downloaded and installed onto devices (e.g., the Facebook app for iOS). In contrast, web apps run inside browsers without installation.

Network compromise - Occurs when a malicious actor gains unauthorized access to an organization’s internal network through a misconfiguration or vulnerability. Network scans are a defense. See also App compromise.

Network scan - A process that identifies active servers on a network and checks for outdated software or open ports that may be vulnerable to security exploits.

Node Package Manager (NPM) - A tool used by JavaScript developers to speed up development by including pre-built packages. NPM audits packages for known security vulnerabilities.

O

Object storage buckets - A type of persistent storage in the cloud that allows organizations to store large files without worrying about scaling physical assets or backing up files.

Organization member - A person with a role and responsibilities within an organization, such as an employee, contractor, intern, or volunteer.

Organizational device - A computer or mobile device used by an organization member in the course of their work.

P

Penetration test - A simulated attack on an app or system where the tester attempts to find vulnerabilities that could be exploited. Pen testers use similar tools to cybercriminals and create a report of findings for the organization to fix.

Plain text - Unencrypted data that has not been protected by encryption.

Platform as a Service (PaaS) - A cloud computing model where customers deploy applications into a managed platform. PaaS simplifies management by handling the physical infrastructure and operating system (e.g., AWS Elastic Beanstalk, Google App Engine).

Platform Data - See the definition in Meta’s Platform Terms.

Platform Term 6.a.i - Refers to Meta’s Platform Terms section (6) heading (a) paragraph (i), which describes platform developers’ obligations related to data security.

Port - When a client makes a connection to a server over the internet the destination address has two parts: (1) an Internet Protocol (IP) address for the server and (2) a port number on that server that a particular application will respond to. Common protocols use reserved ports (e.g., HTTPS uses 443) but a developer can use custom ports for network communications if desired.

R

REST API - A widely adopted style of building web-accessible services where the client and server communicate using the HTTP protocol. A developer on the Meta platform might host a REST API on a subdomain like api.example.com that their mobile app sends and receives Platform Data to/from.

S

Secure Shell (SSH) - A secure communication protocol that allows administrators to remotely log into servers and run programs. It’s called "secure" because it encrypts communication between the client and server, protecting against eavesdropping, unlike older protocols such as Telnet. Also known as Secure Socket Shell.

Secure Sockets Layer (SSL) - An outdated and insecure encryption protocol for data in transit. It has been replaced by Transport Layer Security (TLS), which provides more robust security.

Security Information and Event Management (SIEM) - Technology that supports threat detection, compliance, and security incident management by collecting and analyzing security events in real-time and historical contexts, along with other event and contextual data.

Serverless Computing - A cloud computing model where the cloud provider manages the physical infrastructure, operating system, and containerization, leaving the developer responsible only for their custom code, libraries, and configuration.

Server Side - Refers to data or computations performed on a remote server, in contrast to client-side operations, which occur on local devices like laptops or mobile phones.

Single Sign-On (SSO) - A system where multiple apps rely on a centralized user directory, typically an Identity Provider (IdP), to authenticate users. This streamlines account management and allows users to log in with one set of credentials for multiple apps.

Software Development Kit (SDK) - A set of tools and pre-written code that developers can use to simplify the development process. For example, Meta provides SDKs to streamline interaction with the Graph API for iOS and Android developers. Like libraries, SDKs need to be updated regularly to stay secure.

Software as a Service (SaaS) - A cloud-based service model where users access apps over the internet. Unlike PaaS or IaaS, SaaS customers don’t deploy custom code or manage app configurations, updates, or patches. Examples include Dropbox, MailChimp, Salesforce, and Slack.

Static Analysis - See Static Application Security Testing (SAST).

Static Application Security Testing (SAST) - A method for finding vulnerabilities in software by analyzing its source code. SAST tools identify potential issues (e.g., those in the OWASP Top 10), which developers then review, confirm as valid, and fix. Unlike penetration tests, SAST doesn’t assess vulnerabilities related to the app’s production environment.

System Administrator Audit Logs - See Admin Audit Logs.

T

Transparent Data Encryption - A type of encryption at rest typically used for database storage, including database contents and log files. The database software manages encryption keys and handles encryption and decryption automatically during data writes and reads.

Transport Layer Security (TLS) - A protocol for securing data in transit over networks by encrypting communications, protecting them from eavesdroppers. TLS is the modern replacement for the obsolete SSL protocol.

Two-Factor Authentication (2FA) - See Multi-Factor Authentication (MFA).

V

Vault - A system for managing sensitive data such as encryption keys, access tokens, and credentials. Vaults tightly control access to this data and often include features like audit logs to track access.

Virtual Machine (VM) - A software-based emulation of a computer that runs on a host called a hypervisor. Unlike application containers, VMs include an operating system. Both VMs and containers can run applications and their dependencies.

Virtual Private Cloud (VPC) - A private cloud environment within a public cloud provider’s infrastructure, resembling traditional data center networks. The term is widely used by AWS.

Vulnerability - A flaw in an app or system that could be exploited to gain unauthorized access, manipulate data, or cause other harm.

Vulnerability Disclosure Program (VDP) - A process where organizations encourage researchers to report security vulnerabilities. The organization then addresses these issues before they can be exploited by malicious actors. A successful VDP requires active researchers, analysts to review disclosures, and cybersecurity engineers to implement fixes.

Vulnerability Scan - An automated tool used to identify vulnerabilities in systems, networks, or apps. Vulnerability scans are typically more cost-effective than penetration tests and can be run regularly (e.g., monthly or quarterly). However, penetration tests often uncover vulnerabilities that automated scans miss. See also Network Scan.

W

Webapp - A web application that runs inside a browser and is composed of resources like HTML, JavaScript, media files, and CSS for styling. Unlike mobile apps that are downloaded and installed, webapps are accessed directly via a browser (e.g., www.facebook.com), eliminating the need for installation.